Prevent X-Forwarded-For spoofing

The XFF option in the HTTP profile is an insert, so yes it will allow spoofing. What you need is a replace function:

when HTTP_REQUEST {
    foreach x [HTTP::header names] {
        if { $x equals "X-FORWARDED-FOR" } {
            HTTP::header remove X-FORWARDED-FOR
            HTTP::header replace X-FORWARDED-FOR [IP::client_addr]
        }
    }   
}

Hrm, so I copied this into an iRule verbatim and applied it to my Virtual Server as the first rule in line. I then removed the X-Forwarded-For option form my http profile and still the same behavior. What am I missing? Thanks for your help!

Is it that you're injecting additional (spoofed) X-FORWARDED-FOR headers in the client request and still see these arriving at the server?

Yes, that is exactly right. I am using a spoofing plugin via Firefox to insert a spoofed X-Forwarded-For header. Then, in sniffing the traffic coming from the F5, the spoofed headers are still there and Apache is happy to log them. So my machine at 192.168.x.x shows up via X-Forwarded-For as my spoofed IP 1.2.3.4

Could it be a case thing?

when HTTP_REQUEST {
    foreach x [HTTP::header names] {
        if { [string tolower $x] equals "x-forwarded-for" } {
            HTTP::header remove $x
            HTTP::header replace X-FORWARDED-FOR [IP::client_addr]
        }
    }   
}

So it is indeed a case thing as changing it to camel case identically as I had it in the plugin worked. How do we deal with the 1001 different forms of case? X-Forwarded-For, X-FORWARDED-FOR, x-forwarded-for, X-forwarded-for, x-Forwarded-for, x-Forwarded-for etc etc. Is there an equivalent to 'grep -i'?

Bah, I completely missed that. Yes it does work. Thanks so much. In the mean time I was mucking around with -nocase, but that is certainly a much more elegant solution.

However, is this not inefficient? It appears to remove the headers inserted by the HTTP profile too and not just outside headers. So perhaps an if exists, replace, else, insert and completely forgo the insert via the HTTP policy? Would this work? (or some permutation as I am by no means a TCL guy)

when HTTP_REQUEST {
foreach x [HTTP::header names] {
if { [string tolower $x] equals "x-forwarded-for" exists}
then
    if { [string tolower $x] equals "x-forwarded-for" } {
        HTTP::header remove $x
        HTTP::header replace X-FORWARDED-FOR [IP::client_addr]
    }
    else
    {HTTP::header insert X-FORWARDED-FOR [IP::client_addr]}
} 

}

The [HTTP::header names] command produces a list that you're going to iterate through. The HTTP::header remove $x command inside that loop only removes the offending header and inserts/replaces with a new one of your choosing. Any other headers will remain untouched.

Right, but won't the HTTP policy then also put on an addition X-Forwarded-For header? My thought is an iRule to do it all.

Basic logic now:

If a header exists coming in, remove and create your own.

THEN

HTTP policy adds another header.

I am thinking a single rule that works like:

If a header exists coming in, remove and create your own. Else if no header, create your own.

THEN

HTTP policy does nothing regarding XFF headers.

Right, but won't the HTTP policy then also put on an addition X-Forwarded-For header? My thought is an iRule to do it all.

You must remove the XFF option from the HTTP profile.